vasudevanms (Participant), October 3, 2015 at 3:22 pm, #5691
We have just started exploring using the OpenXX suite of services to enable our AuthZ and AuthN solution. At the moment, though, we are considering using only OpenAM and OpenDJ, wherein OpenAM will be our policy evaluation engine and OpenDJ our data repository. I noticed that the REST API for OpenAM exposes some APIs to create and manage identities. How is this different from OpenIDM provisioning? The OpenAM documentation clearly states that OpenIDM is the recommended way to provision users. In which specific scenarios will I use the OpenAM identity CRUD API?
Thanks in advance
Vasu

ssripathy (Participant), October 6, 2015 at 3:26 pm, #5704
This could make for a lengthy discussion, but for the sake of brevity here are my 2 cents.
First of all, the OpenIDM CRUD API would provision to its own database backend repo (e.g. Oracle, MySQL, etc.). After which you would need to sync to OpenDJ based on your requirements. OpenAM/OpenDJ should be used for authN/authZ, and so ideally a user profile in OpenDJ should store attrs pertinent to that functionality. The CRUD API in OpenAM lacks the flexibility available in OpenIDM. Plus, in OpenIDM provisioning use cases, you can implement RBAC and fields that affect sync to targets other than DJ such as AD, Google, etc.
Not knowing your use cases, and if it's merely a pilot for some demo, using the OpenAM CRUD API would be just fine to demonstrate some basic functionality. It would be best to use products based on their individual strengths, and for that the documentation can reveal to you what that would be.
-sridhar

vasudevanms (Participant), October 7, 2015 at 1:04 pm, #5716
Thanks for sharing your insight on this. Appreciate that. Very broadly, our use case involves multiple tenants who may share a single identity repository and also possibly the same realm. To mimic RBAC we are simply creating LDAP groups with specific privileges associated with each group. Membership of a group would equate to a grant/deny of access to certain resources. Also, in our case our identity repository is not expected to integrate with external identity repos. I can see a clear use case in such cases (external identity repos) where OpenIDM would make perfect sense. But in our case I am on the fence. Thoughts?
Vasu

ssripathy (Participant), October 7, 2015 at 6:05 pm, #5718
So, with a provisioning product like OpenIDM you have the flexibility to write your own custom endpoints if in the future your delegated administration requirements change or become more complex. Plus you have the flexibility to build workflows and a UI of your choice. Reporting and role based features are going to get better in the next version.
The choice of just sticking with OpenAM/OpenDJ in this case may seem fine in the short term, but for any complexity not provided by that CRUD API in AM you would need to crack open the OpenAM WAR and tinker to make it do what you need it to do. The other choice would be that you may need to build your UI client and then make REST calls to OpenAM and REST/LDAP calls to OpenDJ to fulfill your requirements. In either case, it depends on your situation, i.e. immediate vs. long-term needs.